Editor’s Note: We asked privacy pros to weigh in with their recommendations for getting board or executive-level support for privacy efforts and building strong privacy programs. In this series, Norine Primeau-Menzies, CIPP/C, Chris Pahl, CIPP/G, CIPP/US, and Michael Spadea, CIPP/US, share insights they’ve gained from their work. More experts in the privacy field will discuss obtaining and sustaining executive buy-in and other key issues during the preconference workshop Getting Results: 13 Proven Tips for Managing an Effective Privacy Program at the IAPP Privacy Academy in San Jose, CA, on October 10.

Four essential aspects to winning executive support for your work

How do you influence your boss? How do you get your boss to recognize your work among competitive peers? As Jay A. Conger once wrote in his oft-cited Harvard Business Review article “The Necessary Art of Persuasion,” there are four essential aspects to achieving these goals:

1. Establish credibility.
2. Frame goals to have common ground with those you wish to persuade.
3. Tell a great story, and have compelling evidence.
4. Connect emotionally.

Credibility

Building credibility begins the first day you start in the privacy field. Degrees and certifications are important, but there is no substitute for prior experience and success; senior managers are looking for employees who can pick up the ball and move it past the goal line. You pick up the ball every time you accept a task—and you move it across the goal line when you meet or exceed your bosses’ expectations.

A boss is anyone who can influence whether you are able to successfully get your job done. They are also the people who can put you in front of executives. Regardless, you need their support.

To gain credibility in your organization, you need to know privacy better than anyone else in the organization and have a deep understanding of privacy in the context of your organization and industry. Every time you provide advice, it must evidence your complete understanding of these two points. Actively listening to the needs of your organization is critical.

If you aren’t sure what your credibility level is, ask your boss for an honest appraisal. Speak to colleagues you can trust for their discretion and honesty.

If feedback is less than stellar, take action. Educate yourself by cracking the books every night and obtaining relevant certifications. Stay on top of current affairs and new technological developments. Obtain a mentor and collaborate with colleagues on industry initiatives.

If your team lacks credibility, consider making personnel changes and bringing in superstars. If an initiative lacks credibility, try running a pilot and building evidence to support your contention that there is a problem and that your solution is the best.

A privacy manager I know briefly lost credibility when he failed to submit a privacy initiative presentation on time. He regained his credibility after successfully managing a major privacy/security threat three months later, one that caught his entire industry by surprise. The manager spent six weeks in a foreign country, immersing himself in local privacy law, up to his neck in policies and operations. After a brutal but ultimately successful three-hour presentation to the board audit committee, his original privacy initiative moved from the director to the COO within a month. The manager was offered a seat on the organization’s strategy steering committee the following day.

Common ground, common goals

It’s important to understand what your executive’s goals are and to recast your goals in the same light. Is your executive focused on cost-cutting or revenue growth? The distinction is critical—consider both the short- and long-term consequences of this oversight. By pushing a cost-saving data accuracy initiative in a growth-focused environment, you are effectively showing that you do not understand the organization’s objectives. The initiative will not be funded, and the misdirected effort may result in your budget being diverted to a different department that is focused on bringing in new business. It may be difficult to recover this budget in the following year.

Know what your various bosses’ priorities are. Listen to how they describe their interactions with the CEO, the COO and the board. Follow up your successful deliverables with coffee meetings to understand the culture and goals of your organization and executives. In each meeting, build support for your initiative as you begin to develop it. Incorporating the feedback and being prepared for hard questions will strengthen your initiative and your presentation. If you have support of your colleagues in business, legal, IT, etc., executives will be hard-pressed to say “no.”

In dealing with executives, the late, famed management consultant Peter Drucker advocated the following:

• Test your position many, many times.
• Know your weaknesses and the alternative positions.
• Know what your executive wants to know.
• Identify the shared benefits.
• Know what the executive expects to see and hear.
• Make sure your initiative meets the executive’s needs.
• Do not assume the executive understands what you are saying.
• Prepare carefully.
• Be prepared to adjust your position.
• Know the investment of time and money required.

Consider this example: Competing departments at one firm were pitching their CEO and board on different versions of a privacy program in response to regulator criticism over the organization’s inadequate existing privacy program. To this CEO, a successfully revised program meant not only repairing the brand damage but also recasting the brand as an industry model. While many of his directors offered excellent remediation plans, only one director offered a plan that burnished the company’s brand at every step. She knew what the CEO wanted because of her extensive internal networking and active listening. The CEO supported her plan, and the board adopted and funded it.

Tell a great story; have compelling evidence

Drucker captured this perfectly: Information is encoded. You must decode it for the recipient.

Here are a couple of real-life examples of great stories and compelling evidence.

A product manager for a mobile phone messaging application was visiting a neighbor for dinner, during which the neighbor’s 16-year-old daughter complained about the recent removal of a feature that disabled “read receipt” requests from senders. Now she couldn’t prevent senders from knowing exactly when she’d opened their messages, and she felt pressured to respond promptly. Failure to do so often resulted in a flurry of follow-up messages, some of them not very polite. She also did not have time to consult with her friends on an appropriate response—a particularly perilous situation for a 16-year-old negotiating gender politics through text messaging. After consulting his own teenage daughter, who vehemently agreed with the neighbor, the product manager investigated further and found that there indeed had been many similar complaints. Armed with a compelling story that humanized the problem—and knowing that the executive had two teen daughters—the manager successfully argued for reinstatement of the feature.

In another notable example, several years ago, a regulator opened an investigation into one company’s division because a document containing sensitive information had been sent to the wrong person. Regulators don’t usually open investigations over one document going astray, but another division in the organization had sent 10,000 documents containing sensitive information to the wrong addressees the month before. Aware of the negative publicity that could potentially engulf the division, its president scheduled a strategy meeting the next morning, led by the division’s head of privacy. As it happened, six months before the incident, the privacy head had begun collecting and collating a series of metrics designed to measure all documents sent to the wrong addresses. Issues were identified and resolved. At the meeting, he displayed a pie chart illustrating the division’s performance, its error rate represented by a thin black line in an otherwise uninterrupted sea of green. He pointed to the line. “We have an error rate of .000017 percent,” he said, not without a hint of pride. The meeting ended quickly, as did the regulatory investigation.

Tell a meaningful story, have compelling evidence and display it in a vivid, graphic and easily understandable format.

Evidence of the following is often compelling:

• Incidents within your organization;
• Incidents within your industry;
• Analogous incidents within other organizations; e.g., what’s the equivalent of a BP oil spill within your organization;
• Enforcement actions mapped to identified risks within your organization;
• Incidents or risks that would prevent achievement of your executives’ goals;
• Cost and revenue;
• Competitive advantage, and
• Brand damage or enhancement.

Connect emotionally

I watched Steve Ballmer work the crowd at a Microsoft company meeting a few years ago. When he was done, I was pumped! While it’s very possible Ballmer is the only CEO in America who can get away with jumping three feet into the air and backslapping executives hard enough to leave bruising, executives do like passion—a lot. It’s hard to excel; if it were easy, everyone would do it. But passion can carry you through those 2 a.m. nights reviewing ISO 27001 evidence to make sure your business is ready to soar through its third-party audit and certification. Passion, enthusiasm, a love for your work and a desire to succeed are recognized by executives as motivators to deliver a timely and superior work product.

Channel that passion into your executive presentations. Ideally, you want to find a common passion. The mobile application product manager had it right when he told the story about the teenage girl to an executive who had two teen daughters at home.

Above all, know when to adjust to the emotional mood of your audience. There are few hard and fast rules in this regard, but nobody knows your organization as well as you do, and tailoring the tone of your interactions can ultimately be the difference between delivering a successful presentation and falling flat.